The present invention relates to authentication methods and systems for accessing networks. In particular, the invention relates to authentication methods and systems for accessing the Internet.
As network technologies continue to evolve, the possibility of connecting people and organizations together in more efficient arrangements grows. Networks such as the cellular phone networks give individuals the ability to move around freely, yet still communicate over the telephone with other individuals. For example, in the last few years the explosive growth of the use of cellular phones has increased tremendously the ability of people to connect with other people from a variety of different locations (i.e. in the car, at a restaurant, in the super market). As societies become more and more mobile, new solutions are required to satisfy the growing demands and needs of these mobile individuals.
As one example, consider the traditional network paradigm for Internet access. Traditionally, there are a couple of different ways for an individual to access the Internet. First, the individual might have a personal account with an Internet Service Provider (ISP) whereby they can access the Internet through, for example, their home computer. Their home computer establishes a link with the ISP through a modem or special communication line. Once the link is established, generally over a wired line, they can typically use ISP-provided software to browse the Internet. In this example, an individual""s Internet access is either tied to their wired link provider, or to the ISP through which they have their account. Second, an individual might be able to access the Internet through a network that is provided and maintained by their employer. While they are at work, they can access the Internet through the use of employer-provided resources. In this example, an individual""s Internet access is tied to their employer and/or their employer""s resources.
Neither of these paradigms provides an individual with the freedom to access the Internet from any location and without any dependence on a particular ISP or their company. Rather, Internet accessibility for these individuals is necessarily tied to either or both of (1) signing up for an account with a particular ISP for Internet access, or (2) being a member of a particular corporation through which Internet access is provided. It would be desirable to eliminate the dependence of Internet access on either or both of these elements.
Presently, there is much enthusiasm around the impending deployment and availability of the so-called xe2x80x9cthird generationxe2x80x9d (3G) wide-area cellular networks. These 3G wide-area cellular networks will give individuals the ability to connect to other individuals, via a cellular phone, from many different locations. Furthermore, these networks will enable individuals to transmit and receive data packets which are necessary for Internet communications.
There are, however, limitations that are inherent with both the current wide-area cellular networks and the future 3G wide-area cellular networks that make their use as an Internet connectivity medium less than desirable. For example, current wide-area data networks (e.g. which use a Ricochet modem from Metricom) support transmission rates that are about 50 Kbps. In the next few years, when 3G wide-area cellular networks are available, the data packet transmission rates are expected to go up to around 2 Mbps per cell size. Each cell is generally sized between 1 to 2 miles in diameter, depending on where the cell is located. A data rate of 2 Mbps per cell size means that the maximum data rate an individual in a cell can hope to get will be around 2 Mbps when there are no other individuals using the network. A more realistic scenario is the case where there are several hundred individuals in a single cell. In this case, any individual might get only 100 to 150 kbps of bandwidth for data transmission. This transmission rate is frustratingly slow and will inevitably lead to customer dissatisfaction.
In the local area networking space (i.e. networking within a building or a home), transmission rates are as high as 11 Mbps today. In the near future, these rates are expected to go up to around 54 Mbps. In the more distant future (e.g. in about 5 years), this rate is expected to be upwards of 100 Mbps. Thus, there is a disparity between local area wireless network (WLAN) system performance and wide area wireless network (WWAN) system performance in terms of access speeds. Using the above transmission rates, it can be seen that the difference in system performance is about 25 times faster in WLANs than in WWANs.
This has led to a problem for which a solution has not yet been found. The problem concerns how to provide high speed Internet access from all places beyond those traditionally in the domain of LANs (i.e. corporations and homes). For example, individuals often spend a great deal of time in public places such as airports, libraries, and restaurants. Yet, Internet access is not typically provided in these public areas. If Internet access is provided, it is typically tied to a particular ISP and the consumer really has no choices whatsoever concerning such things as quality of service, type of service available, and the like.
Accordingly, this invention arose out of concerns associated with improving network access so that a network, such as the Internet, can be accessed from a variety of places or locations at high speeds. In particular, the invention arose out of concerns associated with enhancing Internet wireless connectivity speeds in the wide area.
Various embodiments pertain to enhancing wireless functionality, and particularly to providing fast network access, e.g. Internet access, by pushing local area wireless network system performance and functionality into the wide area space. Wide area data networking data rates are much slower than local area data networking rates. Aspects of the described embodiments exploit the higher data rates that are available through the use of local area networks pushing this functionality into the wide area space. Aspects of the described embodiments have applicability in both wireless and wired networks.
In one embodiment, an architecture is provided, by one or more host organizations, for providing individuals with fast wireless access to the Internet. These networks are advantageously deployed in public areas such as airports, shopping malls, libraries etc. The host organization may partition this network either physically, or logically, into several smaller networks called subnets. Each subnet may include a PANS (Protocol for Authentication and Negotiation of Services) Server and a Policy Manager. A mobile user typically establishes a communication link with the PANS server through an Access Point, and thereafter wirelessly transmits and receives data to and from the Internet via the PANS server. The positioning of the PANS server in the subnet is such that data traffic from all users connected to this subnet goes through this server before reaching any other network, including the Internet.
The PANS server is programmed to perform a number of different functions in connection with providing network or Internet access. In one embodiment, the PANS server ensures that users are authenticated to the system before allowing them to send and receive data packets to and from the Internet. In one aspect, authentication takes place through the use of an authentication database. In one embodiment, the authentication database is a globally accessible database and authentication takes place in a secure manner between the client and the database (i.e. the PANS server is not privy to the exchange of the information during authentication). In another embodiment, the authentication database is available locally to the PANS server. After the global or the local database authenticates the user, the user receives a unique token or key from the PANS server. The user uses this token or key to identify himself or herself to the PANS server in all subsequent data packet transmissions. All user data packets containing this token or key, intended for the Internet, are allowed passage through the PANS server.
In one embodiment, the user is given various choices concerning Internet accessibility and the levels of service that are provided. For example, the PANS server is programmed, in some embodiments, to negotiate with ISPs for Internet access on behalf of users that are unaffiliated with an ISP. A user can define the type of access they want (i.e. data rate, and perhaps the price they are willing to pay), and the PANS server handles negotiation with the ISPs on the user""s behalf.
In another embodiment, the PANS server provides flexible levels of security for the user or client. For example, each user or client can be issued his or her own key, dynamically generated by the PANS server, for use in encrypting data packets that are transmitted to the PANS server. Each key can be of an arbitrary length that is selectable by the user or the PANS server. In addition, the PANS server can have a number of different encryption algorithms from which to choose when a user is authenticated. Thus, a user can be handed a key having an arbitrary length, and a randomly selected encryption algorithm to use when encrypting their data packets.
In another embodiment, the PANS server is programmed to account for the data packets that pass through it. Accounting for the data packets assists the PANS server in charging clients for using the network, e.g. on a per packet or a per byte basis, or a per transaction basis. In addition, accounting for the data packets can help the PANS server in scheduling data packets for transmission.
In another embodiment, the PANS server is configured to provide the user with an option to select a quality-of-service (QoS) level. Different costs can be associated with different QoS levels. For example, a premium level can provide the highest degree of security and a guaranteed amount of bandwidth. Other levels might provide lesser degrees of security and lesser amounts of bandwidth. In one aspect, the highest service level is available on a user-by-user basis where individual users have a guaranteed a fixed amount of bandwidth and a very high degree of security. Lesser levels of service are defined in terms of groups, where each group contains a plurality of users. Bandwidth allocations in these groups take place on a group basis, with members of the groups having to arbitrate for use of the available allocated bandwidth. Each user is thus assured of receiving a fair share of the associated allocated bandwidth.
In another embodiment, dynamic compression is utilized to ensure that data packets are transmitted in an optimal manner. In the described wireless embodiment, the PANS server (or the client) monitors the wireless medium for transmission errors that might be caused by an obstruction in the line of sight between the client and an access point. Whenever a predetermined number of errors are detected, measures are taken to lessen the degree of compression that is utilized on the data packets. When the errors abate, the degree of compression is increased. In effect, the amount of compression is modulated by the amount of transmission errors that are detected during a sample period.
In another embodiment, a user interface is provided and provides feedback to the user regarding their service level. Through the interface, the user can adjust their quality of service level and observe a feedback mechanism that confirms their quality of service level, i.e. actual bandwidth provided by the network.
In addition to the PANS Server, there exists a Policy Manager which includes and manages various policies that determine the context of a particular user""s interaction with the network. For example, the Policy Manager can define the level of service that a user receives, control access to host organization""s resources such as printers and fax machines etc., and the like. The Policy Manager and the PANS server are communicatively linked so that the PANS server can enforce the policies from the Policy Manager on a per user and per connection basis.